On Tue, 2022-04-19 at 23:33 +0200, Jonas Smedegaard wrote:
> I do not think that we should impose on our users to trust black magic
> by default, though.
>
> I think that all non-free code distributed by Debian (be that code
> executed on the main CPU, and code uploaded to external devices, and
> code served to other people's web browsers) should be easy to use but
> opt-in, not (some of it) opt-out. Because we cannot reasonably know
> what it really does and therefore not reasonably decide if sensible to
> trust or not. We can only blindly assume that "newer is better".

It's firmware. If you have an x86 CPU there's no opting in or opting out, you and every one Debian user are using non-free microcode, whether you like it or not. The only difference is whether it's an old version, vulnerable to known and exploited security bugs, or not. Pretending it doesn't exist won't make it go away, won't make a machine "free", and won't help any cause.

It's simply pushing the problems away from the distribution maintainers down to the users, and we know for a fact they are very real and very tangible problems. We know that newer is better: CVE numbers are there to prove it.

You can't reasonably "know" what your hardware does anyway, unless you've got a degree in electronic engineering, industrial acid, an electron microscope and a whole lot of spare time. As mentioned earlier, modern machines are networks of hundreds of components, most if not all of which is proprietary hardware. You have to blindly trust it. The act of running a given machine _is_ the opt-in to trust that hardware and all its various firmwares, some of which happen to be updatable (which is a good thing).

-- 
Kind regards,
Luca Boccassi